inserting special chracters into mysql using perl

Question

hi i am very new to perl.. I have a temp_data.txt file like this

Id    Comments
--------------------------------
1      this is a 'comment'
2      special comment
3      user comment 'user'
-----------------------------------


  open (MYFILE, 'temp_data.txt');
while (<MYFILE>) {
if($_=~/^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)/)
{
    $id=$1;    
    $comment = $2;
}

while(<MYFILE>)
{
    $line=$_;
    if($line=~/^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)/)
    {
        seek(MYFILE, -length($_), 1);
        last;
}
    else
    {           if($_=~/\s*(.*)/)
        {
            $comment .=$1;

        }
    }
}

my $queryString = "INSERT INTO Headline (id,comment) VALUES ('$id', ' $comment')";

$sth = $dbh->prepare($queryString);
$sth->execute() or die $DBI::errstr;
$sth->finish();
}

but while inserting into data base if it encounters a special character throwing a error like this.

DBD::mysql::st execute failed: You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right syntax to use near 'comment')' at line 1 at head.pl line 1.

can anyone help me? thanks in advance

Answer 1

Maybe, the data, you are inserting has special symbols. Use parametrized queries for this (it will protect you from SQL injection):

my $queryString = "INSERT INTO Headline (id,comment) VALUES (?, ?)";

$sth = $dbh->prepare($queryString);
$sth->execute($id, $comment) or die $DBI::errstr;
$sth->finish();